Re: [GENERAL] Problems with kerberos 4 authenication - Mailing list pgsql-general

From Tom Ivar Helbekkmo
Subject Re: [GENERAL] Problems with kerberos 4 authenication
Date
Msg-id 86ogmqzvdx.fsf@athene.nhh.no
Whole thread Raw
In response to Problems with kerberos 4 authenication  (Rodney McDuff <ccmcduff@its.uq.edu.au>)
List pgsql-general
Rodney McDuff <ccmcduff@its.uq.edu.au> writes:

>     I've compiled postgresql 6.3.2 with kerberos 4 support (using
> the KTH-KRB Ebones distribution) on a Alpha running DU4.0D.

I've been using KTH Kerberos IV with PostgreSQL for a long time, and
it's always been working great, until very recently (about which more
later).  Right now, I use PostgreSQL 6.4.2, under NetBSD on i386 and
Sparc systems, with no problems.

> I create a postgres_dbms principle in /etc/srvtab (and arranged for
> the postmaster to be able to read this file) and made the
> appropriate modifications to pg_hba.conf file.

(It's "principal", not "principle", by the way.)  You probably
shouldn't do it this way, since it means opening up access to your
main srvtab file more than you should be comfortable with.  Use
ksrvutil to create a separate srvtab for PostgreSQL, and modify the
Makefile.global file in the main PostgreSQL src directory after
configure, before make.

> I've then use kinit to get a krbtgt (ticket granting ticket) which shows up
> using klist. I then type "psql database" and get a "User authentication
> failed" error. Running the postmaster in debug mode shows up
>
>   "pg_krb4_recvauth: kerberos error: Can't decode authenticator (krb_rd_req)"
>
> (which is a kstatus of RD_AP_UNDEC=31). But whats really werid is that I
> successfuly get a postgres_dbms ticket from the KDC (which shows up in both
> the kerberos logs and under a a klist).

I see the exact same behavior with the current CVS version of
PostgreSQL, and have been trying to find time to study it more
carefully and post a description of the problem.  I assume something
was done to the communication between front end and back end that
broke Kerberos.  I can't recall if I ever ran the actual 6.3.2 -- I've
been tracking CVS mostly -- but I can confirm that 6.4.2 is OK, so you
might want to upgrade to that before going further with your problem.

-tih
--
Popularity is the hallmark of mediocrity.  --Niles Crane, "Frasier"

pgsql-general by date:

Previous
From: Rodney McDuff
Date:
Subject: Problems with kerberos 4 authenication
Next
From: Bryan Mattern
Date:
Subject: Re: [GENERAL] GIS/GPS Experiences with pgsql?